Authentication (sec-auth)

Name: Brinkhaus FleetManager
Author: Brinkhaus GmbH

Monitors failed login attempts, root/administrator logins, and SSH configuration. Detects brute-force attacks and insecure SSH settings.

Configuration

Parameter	Type	Default	Description
`enabled`	bool	`true`	Enable/disable module
`failed_login_threshold`	int	`5`	Threshold for failed logins per IP
`failed_login_window_minutes`	int	`15`	Time window for login counting (minutes)
`alert_on_root_login`	bool	`true`	Alert on root/admin login
`root_login_allowed_ips`	list	`[]`	IPs from which root login is allowed
`audit_ssh_config`	bool	`true`	Check SSH configuration (Linux only)
`ssh_config_path`	string	`/etc/ssh/sshd_config`	Path to sshd_config
`expected_permit_root_login`	string	`no`	Expected PermitRootLogin value
`expected_password_auth`	string	`no`	Expected PasswordAuthentication value
`log_paths`	list	`[]`	Additional auth log paths
`use_journalctl`	bool/null	`null`	Force journalctl (`true`) or auto-detect (`null`)

YAML Example

sec_auth:
  enabled: true
  failed_login_threshold: 10
  failed_login_window_minutes: 30
  alert_on_root_login: true
  root_login_allowed_ips:
    - "10.0.0.1"
  audit_ssh_config: true
  expected_permit_root_login: "no"
  expected_password_auth: "no"

Diagnostic Codes

Code	Severity	Meaning	Recommendation
4000	0	No authentication issues detected	—
4001	1–2	Many failed logins from a single IP	Investigate IP, consider blocking (fail2ban)
4002	1–2	Root/admin login from external IP detected	Restrict access, use SSH keys
4003	1	Failed sudo attempts or account changes	Investigate affected accounts
4090	1	Auth logs not readable	Check permissions, test journalctl
6001	1	SSH allows root login	Set `PermitRootLogin no` in sshd_config
6002	1	SSH allows password authentication	Set `PasswordAuthentication no`, use SSH keys

Platform Support

Linux: Reads /var/log/auth.log or journalctl -u ssh. SSH configuration auditing.
Windows: Evaluates the Security Event Log (Event IDs 4625, 4624, etc.).